modules/secure-serverless-harness/main.tf (141 lines of code) (raw):

/** * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ locals { serverless_apis = [ "vpcaccess.googleapis.com", "compute.googleapis.com", "container.googleapis.com", "artifactregistry.googleapis.com", "run.googleapis.com", "cloudkms.googleapis.com", "dns.googleapis.com", "servicenetworking.googleapis.com" ] kms_apis = concat([ "cloudkms.googleapis.com", "artifactregistry.googleapis.com" ], var.security_project_extra_apis) network_apis = concat([ "vpcaccess.googleapis.com", "compute.googleapis.com", "dns.googleapis.com", "servicenetworking.googleapis.com" ], var.network_project_extra_apis) eventarc_identities = [for project in module.serverless_project : "serviceAccount:${project.services_identities["eventarc"]}"] gcs_identities = [for project in module.serverless_project : "serviceAccount:${project.services_identities["gcs"]}"] decrypters = join(",", concat(["serviceAccount:${google_project_service_identity.artifact_sa.email}"], local.eventarc_identities, local.gcs_identities, var.decrypters)) encrypters = join(",", concat(["serviceAccount:${google_project_service_identity.artifact_sa.email}"], local.eventarc_identities, local.gcs_identities, var.encrypters)) } resource "google_folder" "fld_serverless" { display_name = var.serverless_folder_suffix == "" ? "fldr-serverless" : "fldr-serverless-${var.serverless_folder_suffix}" parent = var.parent_folder_id == "" ? "organizations/${var.org_id}" : "folders/${var.parent_folder_id}" deletion_protection = var.folder_deletion_protection } module "network_project" { source = "terraform-google-modules/project-factory/google" version = "~> 17.0" count = var.use_shared_vpc ? 1 : 0 random_project_id = "true" activate_apis = local.network_apis name = var.network_project_name org_id = var.org_id billing_account = var.billing_account folder_id = google_folder.fld_serverless.name disable_services_on_destroy = var.disable_services_on_destroy deletion_policy = var.project_deletion_policy enable_shared_vpc_host_project = true } module "security_project" { source = "terraform-google-modules/project-factory/google" version = "~> 17.0" random_project_id = "true" activate_apis = local.kms_apis name = var.security_project_name org_id = var.org_id billing_account = var.billing_account folder_id = google_folder.fld_serverless.name disable_services_on_destroy = var.disable_services_on_destroy deletion_policy = var.project_deletion_policy } module "serverless_project" { source = "../service-project-factory" for_each = toset(var.serverless_project_names) billing_account = var.billing_account base_serverless_api = var.base_serverless_api org_id = var.org_id activate_apis = concat(local.serverless_apis, try(var.serverless_project_extra_apis[each.value], [])) folder_name = google_folder.fld_serverless.name project_name = each.value service_account_project_roles = try(var.service_account_project_roles[each.value], []) project_deletion_policy = var.project_deletion_policy disable_services_on_destroy = var.disable_services_on_destroy } resource "google_artifact_registry_repository" "repo" { count = var.base_serverless_api == "run.googleapis.com" ? 1 : 0 project = module.security_project.project_id location = var.location repository_id = var.artifact_registry_repository_name description = var.artifact_registry_repository_description format = var.artifact_registry_repository_format kms_key_name = module.artifact_registry_kms.keys[var.key_name] depends_on = [ time_sleep.wait_vpc_sc_propagation ] } resource "google_artifact_registry_repository_iam_member" "member" { for_each = var.base_serverless_api == "run.googleapis.com" ? module.serverless_project : {} project = module.security_project.project_id location = var.location repository = google_artifact_registry_repository.repo[0].repository_id role = "roles/artifactregistry.reader" member = "serviceAccount:${each.value.cloud_serverless_service_identity_email}" depends_on = [ time_sleep.wait_vpc_sc_propagation ] } module "artifact_registry_kms" { source = "terraform-google-modules/kms/google" version = "~> 4.0" project_id = module.security_project.project_id location = var.location keyring = var.keyring_name keys = [var.key_name] set_decrypters_for = [var.key_name] set_encrypters_for = [var.key_name] decrypters = [local.decrypters] encrypters = [local.encrypters] set_owners_for = length(var.owners) > 0 ? [var.key_name] : [] owners = [join(",", var.owners)] prevent_destroy = var.prevent_destroy key_rotation_period = var.key_rotation_period key_protection_level = var.key_protection_level depends_on = [ time_sleep.wait_vpc_sc_propagation, time_sleep.wait_service_identity_propagation ] } resource "google_project_service_identity" "artifact_sa" { provider = google-beta project = module.security_project.project_id service = "artifactregistry.googleapis.com" depends_on = [ time_sleep.wait_vpc_sc_propagation ] } resource "time_sleep" "wait_service_identity_propagation" { depends_on = [google_project_service_identity.artifact_sa] create_duration = var.time_to_wait_service_identity_propagation }